This page covers an IKEv2 VPN tunnel that will not come up between Azure and a Cisco ASA.

Problem description

Hi,

I have configured a VPN tunnel between Azure and a Cisco ASA using IKEv2, and the tunnel doesn't seem to come up. I can see that phase 1 comes up on the ASA, but phase 2 fails saying this:

IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 2
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 3
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 4
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 5
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 6
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 7
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 8
IKEv2-PROTO-1: (766): Failed to find a matching policy

ciscoasa(config)# IKEv2-PROTO-1: (766): Received Policies:
ESP: Proposal 1:  AES-GCM-256
ESP: Proposal 2:  AES-CBC-256 SHA96
ESP: Proposal 3:  3DES SHA96
ESP: Proposal 4:  AES-CBC-256 SHA256
ESP: Proposal 5:  AES-CBC-128 SHA96
ESP: Proposal 6:  3DES SHA256

IKEv2-PROTO-1: (766): Failed to find a matching policy
IKEv2-PROTO-1: (766): Expected Policies:
IKEv2-PROTO-5: (766): Failed to verify the proposed policies
IKEv2-PROTO-1: (766): Failed to find a matching policy

Now, I have configured the VPN tunnel to be part of External_map2 seq 8, but it is not matching. I am not sure what subnets are being pushed by the Azure platform to the Cisco ASA to negotiate the VPN tunnel.

On the ASA, I can see this:

ciscoasa# sho cry isa sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:11, Status:UP-IDLE, IKE count:135, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
857843849       31.221.X.XX/500    51.141.XX.XX/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/13 sec

This means that the Phase 1 is coming up but the next phase is not negotiating.

For testing, I did 0.0.0.0 0.0.0.0 on the ASA, i.e. ANY ANY on the ASA for interesting traffic, and the tunnel came up, but that "any any" impacted my sites and made them inaccessible, so I had to roll back to the previous one.

I even tried to download the VPN script for this VPN connection from the Azure portal and made changes on the ASA accordingly but that doesn't seem to work.

I am happy to provide any detail that is needed from my end.

Thanks,

Vishnu
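As an added triage example (not from the original post), the Python script below parses the ASA IKEv2 debug lines quoted above and separates a traffic-selector (proxy) mismatch from an IPsec transform mismatch; the sample log is constructed from the lines in the question, and the verdict labels are my own, not ASA output.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ASA IKEv2 debug lines quoted in the question.
SAMPLE_LOG = """\
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 2
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 8
IKEv2-PROTO-1: (766): Failed to find a matching policy
IKEv2-PROTO-1: (766): Received Policies:
ESP: Proposal 1:  AES-GCM-256
ESP: Proposal 2:  AES-CBC-256 SHA96
ESP: Proposal 3:  3DES SHA96
IKEv2-PROTO-1: (766): Failed to find a matching policy
IKEv2-PROTO-1: (766): Expected Policies:
IKEv2-PROTO-5: (766): Failed to verify the proposed policies
"""

PROXY_RE = re.compile(r"No proxy match on map (\S+) seq (\d+)")
POLICY_HDR_RE = re.compile(r"\((\d+)\): (Received|Expected) Policies:")
PROPOSAL_RE = re.compile(r"^ESP: Proposal \d+:\s+(.+?)\s*$")

def triage_ikev2_debug(text):
    """Classify a CHILD_SA (phase 2) failure from ASA IKEv2 debug output.
    Returns the crypto map sequences that failed the proxy (traffic-selector)
    check, the ESP proposals the peer sent, those the ASA expected, and a verdict."""
    proxy_miss = defaultdict(list)   # crypto map name -> seq numbers that did not match
    policies = {"Received": [], "Expected": []}
    current = None                   # policy list that following ESP lines belong to
    for line in text.splitlines():
        if m := PROXY_RE.search(line):
            proxy_miss[m.group(1)].append(int(m.group(2)))
        elif m := POLICY_HDR_RE.search(line):
            current = policies[m.group(2)]
        elif (m := PROPOSAL_RE.match(line)) and current is not None:
            current.append(m.group(1))
        else:
            current = None           # any other line terminates a policy list
    received, expected = policies["Received"], policies["Expected"]
    if proxy_miss and not expected:
        # Every crypto map entry was rejected on traffic selectors and the ASA listed
        # no expected policy, so treat this as a selector problem, not a cipher problem.
        verdict = "PROXY_MISMATCH"
    elif received and expected and not set(received) & set(expected):
        verdict = "TRANSFORM_MISMATCH"   # both sides proposed, nothing in common
    else:
        verdict = "UNKNOWN"
    return {"proxy_miss": dict(proxy_miss), "received": received,
            "expected": expected, "verdict": verdict}
```

Run it over the full `debug crypto ikev2 protocol` / `platform` output to see which crypto map sequences the peer's selectors were tested against before any cipher comparison happens.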

Solution



09-09 07:11